Snapchat Users' Phone Numbers Exposed To Hackers
beaverdownunder writes with an extract from The Guardian, based on a security disclosure from Gibson Security: "Snapchat users' phone numbers may be exposed to hackers due to an unresolved security vulnerability, according to a new report released by a group of Australian hackers. Snapchat is a social media program that allows users to send pictures to each other that disappear within 10 seconds. Users can create profiles with detailed personal information and add friends that can view the photos a user shares. But Gibson Security, a group of anonymous hackers from Australia, has published a new report with detailed coding that they say shows how a vulnerability can be exploited to reveal phone numbers of users, as well as their privacy settings." Snapchat downplays the significance of the hole.
Re:Why in God's name... (Score:5, Informative)
Re: (Score:3, Interesting)
Especially when they basically have lied about the photos being deleted [theguardian.com].
Re: (Score:2)
Except they're not deleted like in a filesystem either.
According to GP's link, they merely get a ".nomedia" suffix, which stops Android from recognizing it. The file is still there, it takes up disk space, is not going to be overwritten, can be handled as a normal file, and renaming it to remove the suffix restores it completely.
Dumb people (Score:2, Insightful)
Re: (Score:2)
Yes, security through obscurity is the best way.
Re: (Score:1)
You sure? [xkcd.com]
Re: (Score:3)
People who give out their phone number to random Internet "services" that they are not customers of quite frankly deserve to be assaulted by telemarketers at all hours.
You really think it's their fault? Common sense has never been too strong when compared to the status quo, and people follow the lead. Thankfully, that helped us win some battles in the past. After all, people now know about Firefox and Ubuntu without being geeks themselves, because they followed a geek trend that eventually became mainstream.
But trends are exactly what all big and small companies are following now. You can't sign up to Yahoo, Hotmail or Gmail without being asked for a cellphone number. Since th
Re: (Score:2)
Ultimately, the wise man is he who follows common sense despite trends, percentages and friendly pressures. But online nobody is truly wise with the NSA listening in.
Funny thought: Phone numbers are nothing --they're in the phonebook after all...
a really bad day for the web is the day some Dark Snowden comes to release some exploit with even a percent of the treasure trove of data that governments themselves have at their disposal.
Replying to myself:
We need to coin a new Godwin's type of law
How quickly can we bring up NSA-like involvement in some random online thread?
I dub thee "Snowden's Law"
Re: (Score:2)
I would even venture to say that like proposed large scale E85 adoption in L.A., Snowden has likely caused more unwarranted innocent deaths (via stress; i.e. heart attacks and blood pressure, arguments, fear, paranoia) than the NSA has previously per any equal time period.
Peeping toms (in the traditional sense) don't result in another person feeling genuinely raped. The Snowden/NSA is just public voyeurism about institutional vo
Re: (Score:2)
I would venture to say that you cannot make any assumption from hidden information. The NSA holds almost all the information on what they have done and who they have given information to. You, on the other hand, don't know jack shit about what the NSA does, other than monitoring most of the world's communications. Therefore you are jerking it just as hard as everyone else in the circle.
Re: (Score:2)
Just like you giving out your email address to subscribe to Slashdot (which does not make you a customer) makes you deserving of spam?
Snapchat... Yeah... (Score:1)
OK, doesn't concern me.
Re: (Score:3, Funny)
THANK GOODNESS.
I was on edge all day today, wondering whether this concerned you.
Now that I have my answer, I can reset easy tonight.
You're welcome! I try! Sorry to stress you out, if only I had your phone number, I could keep you more up to date.
Re: (Score:1)
Just make sure to save all documents and flush all cache to your disks before resetting.
867-5309 (Score:2)
just dial any area code.
Re: (Score:2)
I don't want to think too much about how many people on Slashdot will not get that reference [youtube.com].
Re: (Score:2)
Jenny!!!
Is that you?
Re: (Score:2)
Sorry, you've got a wrong number; this is Stacy's Mom.
"due to an unresolved security vulnerability" (Score:2)
This is verbiage of the initial Target press release. It sounds like my government talking to me.
Re: (Score:2)
Sure. In exactly the same fashion as unintended casualties are collateral damage.
This is verbiage of the initial Target press release. It sounds like my government talking to me.
They probably hired the same PR firm.
Re: (Score:2)
I love that term. Previously, I described the identical phenomenon with "Six of one or half a dozen".
Snapchat is right (Score:2, Insightful)
This is a non-issue.
Guess what, there are these big books that list names and the associated phone numbers.
Re: (Score:1)
What is a non-issue? That their claims of protecting your phone number aren't actually true? That seems to only be a "non-issue" if you're on their payroll.
Re: (Score:2)
You mean that you can use the snapchat feature to see if a particular phone number is associated with a snapchat user? It's not like someone is hacking into their database and extracting a list of users. The "hack" is doing an upload of every possible phone number and seeing if there are any hits.
Re: (Score:2)
... in the same way as reading the entire phone book to see which numbers belong to people is a "vulnerability" in the telco industry.
Re: (Score:1)
Those books, do they also contain pink pictures of the persons behind the numbers? Where can I get them?
Re: (Score:2)
There are these things called facebook and google that pretty much can get you anything that anyone has stored on the system of tubes.
Re: (Score:1)
Considering the application runs on your phone, it pulls the number from the phone automatically. You also need to log into the application using a username and password so the phone number isn't used for anything really affecting your login. The phone number is used to help anyone that has your phone number in their contacts to find you on snapchat. Unless you make your snapchat username the same as your real name, there is nothing tying some random collection of letters to your phone number other than thi
It's OK (Score:4, Funny)
But the phone numbers disappear after 10 seconds, right?
Hmmm (Score:2)
Snapchat downplays the significance of the hole.
Isn't that their entire business model? Encourage more people to show off their naughty bits, therefore "downplaying the significance of the hole."
Public service announcement (Score:3)
For some of the younger readers: snapchat can't actually guarantee that your photo is deleted, so don't send anything you don't want all over the web, as ever.
For instance, anyone you send your photo to could screen capture your photo before it disappears, then pass that screen capture around.
Someone could also be between you and your recipient and be capturing everything you send.
Just so you know.
Article is Baloney (Score:1)
Re: (Score:2)
The exploit according to Gibson is that Snapchat doesn't rate limit calls to "find_friends" to prevent massive automated brute force queries to get user details. In all fairness, considering the massive processing power behind Snapchat and the fact that your server is more likely to deplete its available resources before theirs (they're on Google App Engine apparently), there really should be rate limiting, even 1 request per second would make automated hammering non-viable.
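The rate limit this comment argues for, as an added example that is not Snapchat's or Gibson Security's code: a per-account token bucket (the comment's one request per second, with a small burst allowance) and a cap on contacts per request, in front of a find_friends-style lookup. The class and function names, the limits and the simulated traffic are all hypothetical; a fake millisecond clock keeps the simulation reproducible.

```python
"""Added example, not code from Snapchat or Gibson Security: per-account token-bucket
rate limiting plus a per-request contact cap for a find_friends-style endpoint.
All names, limits and the simulated traffic are hypothetical."""
from collections import defaultdict


class TokenBucket:
    """Token bucket: `rate` tokens per second, at most `burst` tokens stored.
    Tokens are tracked in thousandths and the clock is in milliseconds, so the
    arithmetic is exact integer math and the outcome is deterministic."""

    def __init__(self, rate, burst, clock_ms):
        self.rate = rate                 # tokens per second == millitokens per ms
        self.capacity = burst * 1000
        self.clock_ms = clock_ms
        self.tokens = self.capacity      # bucket starts full
        self.last = clock_ms()

    def try_consume(self):
        now = self.clock_ms()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


class FindFriendsGuard:
    """Admission check in front of a contact-lookup endpoint (hypothetical interface)."""

    def __init__(self, clock_ms, rate=1, burst=5, max_numbers=500):
        self.max_numbers = max_numbers
        self.buckets = defaultdict(lambda: TokenBucket(rate, burst, clock_ms))

    def check(self, account, numbers):
        """Return (allowed, reason). The size cap is checked first so an oversized
        request is rejected outright instead of spending a token."""
        if len(numbers) > self.max_numbers:
            return False, "batch_too_large"
        if not self.buckets[account].try_consume():
            return False, "rate_limited"
        return True, "ok"


class FakeClock:
    """Manually advanced millisecond clock, so the simulation does not depend on wall time."""

    def __init__(self):
        self.now = 0

    def __call__(self):
        return self.now

    def advance(self, ms):
        self.now += ms


def simulate_hammering(requests=30, interval_ms=100, numbers_per_request=100):
    """One account firing `requests` lookups `interval_ms` apart. Returns
    (allowed, denied). With rate=1/s and burst=5 the first five go through,
    then only about one request per second does: 7 allowed, 23 denied."""
    clock = FakeClock()
    guard = FindFriendsGuard(clock)
    batch = ["+15550%06d" % i for i in range(numbers_per_request)]  # constructed numbers
    allowed = denied = 0
    for _ in range(requests):
        ok, _reason = guard.check("hypothetical_account", batch)
        if ok:
            allowed += 1
        else:
            denied += 1
        clock.advance(interval_ms)
    return allowed, denied


if __name__ == "__main__":
    print(simulate_hammering())                                   # (7, 23)
    guard = FindFriendsGuard(FakeClock())
    print(guard.check("u", list(range(75000))))                   # (False, 'batch_too_large')
```

The per-request cap matters as much as the rate: without it a single request can carry an arbitrarily large contact list, and a rate limit alone only slows enumeration down by a constant factor.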
Fake it (Score:5, Insightful)
This is why I give out fake information. I have no reason to trust them so I give fake birthdays, fake phone numbers, fake addresses, fake names, what ever it takes. There is no reason to give them valid information. They are not to be trusted. You should pick and choose which information you want to give. Feel no obligation to answer a question truthfully just because some corporation asks you.
Obfuscate.
Re: (Score:2)
You are probably right so let's enjoy our right to lie while we can. Let lying dogs sleep. :)
"exposed to HACKERS"" (Score:1)
But ONLY to "hackers", because they're like extraspecial and shit.
Phone Numbers are not private (Score:1)
Don't need 75000 queries to identify 75000 accounts (Score:2)
Number all the names you're interested in binary. If you have 75000 names, then the binary numbers will be 17 bits long. In the first query, do a lookup on the (75000-65536) contacts which have a set 16th bit. Store all the results. In the second query, do a lookup on all the 32768 contacts which have a set 15th bit, again, store those. In the third query, d
Re: (Score:2)
I'm entirely nonplussed by your post.
Don't need 75000 queries to identify 75000 accounts
What do you mean by "identify"?
Number all the names you're interested in binary.
Snapchat usernames? Or names of humans you suspect of having a snapchat account?
In the first query, do a lookup on the (75000-65536) contacts which have a set 16th bit.
What kind of lookup are you talking about?
Re: (Score:2)
Okay, after finding this [gibsonsec.org] (who the hell presents a security disclosure as a single PNG?!) I'll have another stab at what you're suggesting.
Suppose you have 75,000 phone numbers you want to try to link to snapchat accounts. Snapchat allows (or allowed) you to specify at least up to this amount of numbers in a single query - the only trouble is, it won't tell you which of the many results you receive is associated with which of the numbers you sent in the query.
By doing ~17 queries on subsets of the 75,000 num
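From the defender's side, the bulk lookups discussed in this exchange leave the same footprint in request logs whether the numbers arrive as one enormous batch or as a handful of repeated large subsets: the total contacts an account submits within a short window is far beyond any real address book. The following added example (not code from the thread, from Snapchat or from Gibson Security) runs that check over a few constructed JSON log lines; the log format, field names and thresholds are assumptions.

```python
"""Added example, not from the original thread or from Snapchat: offline detection
of bulk contact-lookup abuse from constructed request logs. The log format, the
field names and the thresholds are hypothetical."""
import json
from collections import defaultdict

# Constructed log lines, one JSON object per request. A genuine address-book sync
# submits a few hundred numbers now and then; an enumeration job submits tens of
# thousands at once, or repeats large batches in quick succession.
SAMPLE_LOG = """
{"ts": 1000, "account": "alice", "endpoint": "find_friends", "numbers": 212}
{"ts": 1010, "account": "bob",   "endpoint": "find_friends", "numbers": 75000}
{"ts": 1020, "account": "carol", "endpoint": "find_friends", "numbers": 4000}
{"ts": 1030, "account": "carol", "endpoint": "find_friends", "numbers": 4000}
{"ts": 1040, "account": "carol", "endpoint": "find_friends", "numbers": 4000}
{"ts": 1050, "account": "carol", "endpoint": "find_friends", "numbers": 4000}
{"ts": 1200, "account": "alice", "endpoint": "send_snap",    "numbers": 0}
{"ts": 5000, "account": "carol", "endpoint": "find_friends", "numbers": 4000}
"""

MAX_NUMBERS_PER_REQUEST = 10000   # hypothetical hard cap for a single request
WINDOW_SECONDS = 600              # sliding window for per-account totals
MAX_NUMBERS_PER_WINDOW = 12000    # hypothetical: more than a realistic contact list


def parse_log(text):
    """Parse newline-delimited JSON into a list of event dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def flag_bulk_lookups(events):
    """Return {account: [reasons]} for accounts whose lookups look like enumeration.
    Two signals: a single oversized request, or the running total of numbers
    submitted inside a sliding window exceeding the per-window ceiling."""
    reasons = defaultdict(set)
    window = defaultdict(list)            # account -> [(ts, numbers)], oldest first
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["endpoint"] != "find_friends":
            continue
        acct = ev["account"]
        if ev["numbers"] > MAX_NUMBERS_PER_REQUEST:
            reasons[acct].add("oversized_request")
        w = window[acct]
        w.append((ev["ts"], ev["numbers"]))
        # Evict entries that have aged out of the window.
        while w and w[0][0] < ev["ts"] - WINDOW_SECONDS:
            w.pop(0)
        if sum(n for _, n in w) > MAX_NUMBERS_PER_WINDOW:
            reasons[acct].add("window_total_exceeded")
    return {acct: sorted(r) for acct, r in reasons.items()}


if __name__ == "__main__":
    for acct, why in flag_bulk_lookups(parse_log(SAMPLE_LOG)).items():
        print(acct, why)   # bob: both reasons; carol: window total; alice: not flagged
```

Carol's fifth request at ts 5000 falls outside the window of her earlier burst and is not flagged on its own; the earlier burst already was. In practice the window totals would be kept in a store shared across front ends rather than in process memory, and the flagged accounts fed to the same admission control that enforces the rate limit.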
Snapchat users private parts exposed to hackers (Score:1)